authlogic 4.5.0 → 6.4.2

data/lib/authlogic/acts_as_authentic/queries/find_with_case.rb

@@ -4,12 +4,25 @@ module Authlogic
   module ActsAsAuthentic
     module Queries
       # The query used by public-API method `find_by_smart_case_login_field`.
+      #
+      # We use the rails methods `case_insensitive_comparison` and
+      # `case_sensitive_comparison`. These methods nicely take into account
+      # MySQL collations. (Consider the case where a user *says* they want a
+      # case-sensitive uniqueness validation, but then they configure their
+      # database to have an insensitive collation. Rails will handle this for
+      # us, by downcasing, see
+      # `active_record/connection_adapters/abstract_mysql_adapter.rb`) So that's
+      # great! But, these methods are not part of rails' public API, so there
+      # are no docs. So, everything we know about how to use the methods
+      # correctly comes from mimicing what we find in
+      # `active_record/validations/uniqueness.rb`.
+      #
       # @api private
       class FindWithCase
         # Dup ActiveRecord.gem_version before freezing, in case someone
         # else wants to modify it. Freezing modifies an object in place.
         # https://github.com/binarylogic/authlogic/pull/590
-        AR_GEM_VERSION = ActiveRecord.gem_version.dup.freeze
+        AR_GEM_VERSION = ::ActiveRecord.gem_version.dup.freeze
 
         # @api private
         def initialize(model_class, field, value, sensitive)
@@ -21,44 +34,47 @@ module Authlogic
 
         # @api private
         def execute
-          bind(relation).first
+          @model_class.where(comparison).first
         end
 
         private
 
         # @api private
-        def bind(relation)
-          if AR_GEM_VERSION >= Gem::Version.new("5")
-            bind = ActiveRecord::Relation::QueryAttribute.new(
-              @field,
-              @value,
-              ActiveRecord::Type::Value.new
-            )
-            @model_class.where(relation, bind)
-          else
-            @model_class.where(relation)
-          end
+        # @return Arel::Nodes::Equality
+        def comparison
+          @sensitive ? sensitive_comparison : insensitive_comparison
         end
 
         # @api private
-        def relation
-          if !@sensitive
+        def insensitive_comparison
+          if AR_GEM_VERSION > Gem::Version.new("5.3")
+            @model_class.connection.case_insensitive_comparison(
+              @model_class.arel_table[@field], @value
+            )
+          else
             @model_class.connection.case_insensitive_comparison(
               @model_class.arel_table,
               @field,
               @model_class.columns_hash[@field],
               @value
             )
-          elsif AR_GEM_VERSION >= Gem::Version.new("5.0")
+          end
+        end
+
+        # @api private
+        def sensitive_comparison
+          bound_value = @model_class.predicate_builder.build_bind_attribute(@field, @value)
+          if AR_GEM_VERSION > Gem::Version.new("5.3")
+            @model_class.connection.case_sensitive_comparison(
+              @model_class.arel_table[@field], bound_value
+            )
+          else
             @model_class.connection.case_sensitive_comparison(
               @model_class.arel_table,
               @field,
               @model_class.columns_hash[@field],
-              @value
+              bound_value
             )
-          else
-            value = @model_class.connection.case_sensitive_modifier(@value, @field)
-            @model_class.arel_table[@field].eq(value)
           end
         end
       end

data/lib/authlogic/acts_as_authentic/session_maintenance.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Authlogic
   module ActsAsAuthentic
     # This is one of my favorite features that I think is pretty cool. It's
@@ -40,7 +42,7 @@ module Authlogic
         def log_in_after_create(value = nil)
           rw_config(:log_in_after_create, value, true)
         end
-        alias_method :log_in_after_create=, :log_in_after_create
+        alias log_in_after_create= log_in_after_create
 
         # In order to turn off automatic maintenance of sessions when updating
         # the password, just set this to false.
@@ -50,7 +52,7 @@ module Authlogic
         def log_in_after_password_change(value = nil)
           rw_config(:log_in_after_password_change, value, true)
         end
-        alias_method :log_in_after_password_change=, :log_in_after_password_change
+        alias log_in_after_password_change= log_in_after_password_change
 
         # As you may know, authlogic sessions can be separate by id (See
         # Authlogic::Session::Base#id). You can specify here what session ids
@@ -62,7 +64,7 @@ module Authlogic
         def session_ids(value = nil)
           rw_config(:session_ids, value, [nil])
         end
-        alias_method :session_ids=, :session_ids
+        alias session_ids= session_ids
 
         # The name of the associated session class. This is inferred by the name
         # of the model.
@@ -77,7 +79,7 @@ module Authlogic
                   end
           rw_config(:session_class, value, const)
         end
-        alias_method :session_class=, :session_class
+        alias session_class= session_class
       end
 
       # This module, as one of the `acts_as_authentic_modules`, is only included
@@ -91,9 +93,9 @@ module Authlogic
         end
 
         # Save the record and skip session maintenance all together.
-        def save_without_session_maintenance(*args)
+        def save_without_session_maintenance(**options)
           self.skip_session_maintenance = true
-          result = save(*args)
+          result = save(**options)
           self.skip_session_maintenance = false
           result
         end
@@ -114,7 +116,7 @@ module Authlogic
             session_class.activated? &&
             maintain_session? &&
             !session_ids.blank? &&
-            persistence_token_changed?
+            will_save_change_to_persistence_token?
         end
 
         def maintain_session?
@@ -174,7 +176,9 @@ module Authlogic
         end
 
         def log_in_after_password_change?
-          persistence_token_changed? && self.class.log_in_after_password_change
+          persisted? &&
+            will_save_change_to_persistence_token? &&
+            self.class.log_in_after_password_change
         end
       end
     end

data/lib/authlogic/acts_as_authentic/single_access_token.rb

@@ -1,8 +1,10 @@
+# frozen_string_literal: true
+
 module Authlogic
   module ActsAsAuthentic
-    # This module is responsible for maintaining the single_access token. For more
-    # information the single access token and how to use it, see the
-    # Authlogic::Session::Params module.
+    # This module is responsible for maintaining the single_access token. For
+    # more information the single access token and how to use it, see "Params"
+    # in `Session::Base`.
     module SingleAccessToken
       def self.included(klass)
         klass.class_eval do
@@ -25,10 +27,7 @@ module Authlogic
         def change_single_access_token_with_password(value = nil)
           rw_config(:change_single_access_token_with_password, value, false)
         end
-        alias_method(
-          :change_single_access_token_with_password=,
-          :change_single_access_token_with_password
-        )
+        alias change_single_access_token_with_password= change_single_access_token_with_password
       end
 
       # All method, for the single_access token aspect of acts_as_authentic.
@@ -41,7 +40,10 @@ module Authlogic
 
           klass.class_eval do
             include InstanceMethods
-            validates_uniqueness_of :single_access_token, if: :single_access_token_changed?
+            validates_uniqueness_of :single_access_token,
+              case_sensitive: true,
+              if: :will_save_change_to_single_access_token?
+
             before_validation :reset_single_access_token, if: :reset_single_access_token?
             if respond_to?(:after_password_set)
               after_password_set(

data/lib/authlogic/config.rb

@@ -1,6 +1,10 @@
+# frozen_string_literal: true
+
 module Authlogic
+  # Mixed into `Authlogic::ActsAsAuthentic::Base` and
+  # `Authlogic::Session::Base`.
   module Config
-    E_USE_NORMAL_RAILS_VALIDATION = <<~EOS.freeze
+    E_USE_NORMAL_RAILS_VALIDATION = <<~EOS
       This Authlogic configuration option (%s) is deprecated. Use normal
       ActiveRecord validation instead. Detailed instructions:
       https://github.com/binarylogic/authlogic/blob/master/doc/use_normal_rails_validation.md
@@ -8,6 +12,10 @@ module Authlogic
 
     def self.extended(klass)
       klass.class_eval do
+        # TODO: Is this a confusing name, given this module is mixed into
+        # both `Authlogic::ActsAsAuthentic::Base` and
+        # `Authlogic::Session::Base`? Perhaps a more generic name, like
+        # `authlogic_config` would be better?
         class_attribute :acts_as_authentic_config
         self.acts_as_authentic_config ||= {}
       end

data/lib/authlogic/controller_adapters/abstract_adapter.rb

@@ -1,10 +1,14 @@
+# frozen_string_literal: true
+
 module Authlogic
   module ControllerAdapters # :nodoc:
-    # Allows you to use Authlogic in any framework you want, not just rails. See the RailsAdapter
-    # for an example of how to adapt Authlogic to work with your framework.
+    # Allows you to use Authlogic in any framework you want, not just rails. See
+    # the RailsAdapter for an example of how to adapt Authlogic to work with
+    # your framework.
     class AbstractAdapter
       E_COOKIE_DOMAIN_ADAPTER = "The cookie_domain method has not been " \
-        "implemented by the controller adapter".freeze
+        "implemented by the controller adapter"
+      ENV_SESSION_OPTIONS = "rack.session.options"
 
       attr_accessor :controller
 
@@ -26,7 +30,7 @@ module Authlogic
       end
 
       def cookie_domain
-        raise NotImplementedError.new(E_COOKIE_DOMAIN_ADAPTER)
+        raise NotImplementedError, E_COOKIE_DOMAIN_ADAPTER
       end
 
       def params
@@ -41,6 +45,26 @@ module Authlogic
         request.content_type
       end
 
+      # Inform Rack that we would like a new session ID to be assigned. Changes
+      # the ID, but not the contents of the session.
+      #
+      # The `:renew` option is read by `rack/session/abstract/id.rb`.
+      #
+      # This is how Devise (via warden) implements defense against Session
+      # Fixation. Our implementation is copied directly from the warden gem
+      # (set_user in warden/proxy.rb)
+      def renew_session_id
+        env = request.env
+        options = env[ENV_SESSION_OPTIONS]
+        if options
+          if options.frozen?
+            env[ENV_SESSION_OPTIONS] = options.merge(renew: true).freeze
+          else
+            options[:renew] = true
+          end
+        end
+      end
+
       def session
         controller.session
       end

data/lib/authlogic/controller_adapters/rack_adapter.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Authlogic
   module ControllerAdapters
     # Adapter for authlogic to make it function as a Rack middleware.

data/lib/authlogic/controller_adapters/rails_adapter.rb

@@ -1,4 +1,4 @@
-require "action_controller"
+# frozen_string_literal: true
 
 module Authlogic
   module ControllerAdapters
@@ -7,8 +7,6 @@ module Authlogic
     # Similar to how ActiveRecord has an adapter for MySQL, PostgreSQL, SQLite,
     # etc.
     class RailsAdapter < AbstractAdapter
-      class AuthlogicLoadedTooLateError < StandardError; end
-
       def authenticate_with_http_basic(&block)
         controller.authenticate_with_http_basic(&block)
       end
@@ -16,12 +14,11 @@ module Authlogic
       # Returns a `ActionDispatch::Cookies::CookieJar`. See the AC guide
       # http://guides.rubyonrails.org/action_controller_overview.html#cookies
       def cookies
-        controller.send(:cookies)
+        controller.respond_to?(:cookies, true) ? controller.send(:cookies) : nil
       end
 
       def cookie_domain
-        @cookie_domain_key ||= Rails::VERSION::STRING >= "2.3" ? :domain : :session_domain
-        controller.request.session_options[@cookie_domain_key]
+        controller.request.session_options[:domain]
       end
 
       def request_content_type
@@ -32,26 +29,7 @@ module Authlogic
       # "activates" authlogic.
       module RailsImplementation
         def self.included(klass) # :nodoc:
-          if defined?(::ApplicationController)
-            raise AuthlogicLoadedTooLateError.new(
-              <<~EOS.squish
-                Authlogic is trying to add a callback to ActionController::Base
-                but ApplicationController has already been loaded, so the
-                callback won't be copied into your application. Generally this
-                is due to another gem or plugin requiring your
-                ApplicationController prematurely, such as the
-                resource_controller plugin. Please require Authlogic first,
-                before these other gems / plugins.
-              EOS
-            )
-          end
-
-          # In Rails 4.0.2, the *_filter methods were renamed to *_action.
-          if klass.respond_to? :prepend_before_action
-            klass.prepend_before_action :activate_authlogic
-          else
-            klass.prepend_before_filter :activate_authlogic
-          end
+          klass.prepend_before_action :activate_authlogic
         end
 
         private
@@ -64,7 +42,6 @@ module Authlogic
   end
 end
 
-ActionController::Base.send(
-  :include,
-  Authlogic::ControllerAdapters::RailsAdapter::RailsImplementation
-)
+ActiveSupport.on_load(:action_controller) do
+  include Authlogic::ControllerAdapters::RailsAdapter::RailsImplementation
+end

data/lib/authlogic/controller_adapters/sinatra_adapter.rb

@@ -1,7 +1,10 @@
+# frozen_string_literal: true
+
 # Authlogic bridge for Sinatra
 module Authlogic
   module ControllerAdapters
     module SinatraAdapter
+      # Cookie management functions
       class Cookies
         attr_reader :request, :response
 
@@ -23,6 +26,7 @@ module Authlogic
         end
       end
 
+      # Thin wrapper around request and response.
       class Controller
         attr_reader :request, :response, :cookies
 
@@ -40,11 +44,13 @@ module Authlogic
         end
       end
 
+      # Sinatra controller adapter
       class Adapter < AbstractAdapter
         def cookie_domain
           env["SERVER_NAME"]
         end
 
+        # Mixed into `Sinatra::Base`
         module Implementation
           def self.included(klass)
             klass.send :before do

data/lib/authlogic/cookie_credentials.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+module Authlogic
+  # Represents the credentials *in* the cookie. The value of the cookie.
+  # This is primarily a data object. It doesn't interact with controllers.
+  # It doesn't know about eg. cookie expiration.
+  #
+  # @api private
+  class CookieCredentials
+    # @api private
+    class ParseError < RuntimeError
+    end
+
+    DELIMITER = "::"
+
+    attr_reader :persistence_token, :record_id, :remember_me_until
+
+    # @api private
+    # @param persistence_token [String]
+    # @param record_id [String, Numeric]
+    # @param remember_me_until [ActiveSupport::TimeWithZone]
+    def initialize(persistence_token, record_id, remember_me_until)
+      @persistence_token = persistence_token
+      @record_id = record_id
+      @remember_me_until = remember_me_until
+    end
+
+    class << self
+      # @api private
+      def parse(string)
+        parts = string.split(DELIMITER)
+        unless (1..3).cover?(parts.length)
+          raise ParseError, format("Expected 1..3 parts, got %d", parts.length)
+        end
+        new(parts[0], parts[1], parse_time(parts[2]))
+      end
+
+      private
+
+      # @api private
+      def parse_time(string)
+        return if string.nil?
+        ::Time.parse(string)
+      rescue ::ArgumentError => e
+        raise ParseError, format("Found cookie, cannot parse remember_me_until: #{e}")
+      end
+    end
+
+    # @api private
+    def remember_me?
+      !@remember_me_until.nil?
+    end
+
+    # @api private
+    def to_s
+      [
+        @persistence_token,
+        @record_id.to_s,
+        @remember_me_until&.iso8601
+      ].compact.join(DELIMITER)
+    end
+  end
+end

data/lib/authlogic/crypto_providers/bcrypt.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "bcrypt"
 
 module Authlogic
@@ -64,10 +66,8 @@ module Authlogic
 
         def cost=(val)
           if val < ::BCrypt::Engine::MIN_COST
-            raise ArgumentError.new(
-              "Authlogic's bcrypt cost cannot be set below the engine's " \
+            raise ArgumentError, "Authlogic's bcrypt cost cannot be set below the engine's " \
                 "min cost (#{::BCrypt::Engine::MIN_COST})"
-            )
           end
           @cost = val
         end

data/lib/authlogic/crypto_providers/md5/v2.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require "digest/md5"
+
+module Authlogic
+  module CryptoProviders
+    class MD5
+      # A poor choice. There are known attacks against this algorithm.
+      class V2
+        class << self
+          attr_accessor :join_token
+
+          # The number of times to loop through the encryption.
+          def stretches
+            @stretches ||= 1
+          end
+          attr_writer :stretches
+
+          # Turns your raw password into a MD5 hash.
+          def encrypt(*tokens)
+            digest = tokens.flatten.join(join_token)
+            stretches.times { digest = Digest::MD5.digest(digest) }
+            digest.unpack1("H*")
+          end
+
+          # Does the crypted password match the tokens? Uses the same tokens that
+          # were used to encrypt.
+          def matches?(crypted, *tokens)
+            encrypt(*tokens) == crypted
+          end
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/crypto_providers/md5.rb

@@ -1,14 +1,14 @@
+# frozen_string_literal: true
+
 require "digest/md5"
 
 module Authlogic
   module CryptoProviders
-    # This class was made for the users transitioning from md5 based systems.
-    # I highly discourage using this crypto provider as it superbly inferior
-    # to your other options.
-    #
-    # Please use any other provider offered by Authlogic (except AES256, that
-    # would be even worse).
+    # A poor choice. There are known attacks against this algorithm.
     class MD5
+      # V2 hashes the digest bytes in repeated stretches instead of hex characters.
+      autoload :V2, File.join(__dir__, "md5", "v2")
+
       class << self
         attr_accessor :join_token
 

data/lib/authlogic/crypto_providers/scrypt.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "scrypt"
 
 module Authlogic

data/lib/authlogic/crypto_providers/sha1/v2.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require "digest/sha1"
+
+module Authlogic
+  module CryptoProviders
+    class Sha1
+      # A poor choice. There are known attacks against this algorithm.
+      class V2
+        class << self
+          def join_token
+            @join_token ||= "--"
+          end
+          attr_writer :join_token
+
+          # The number of times to loop through the encryption.
+          def stretches
+            @stretches ||= 10
+          end
+          attr_writer :stretches
+
+          # Turns your raw password into a Sha1 hash.
+          def encrypt(*tokens)
+            tokens = tokens.flatten
+            digest = tokens.shift
+            stretches.times do
+              digest = Digest::SHA1.digest([digest, *tokens].join(join_token))
+            end
+            digest.unpack1("H*")
+          end
+
+          # Does the crypted password match the tokens? Uses the same tokens that
+          # were used to encrypt.
+          def matches?(crypted, *tokens)
+            encrypt(*tokens) == crypted
+          end
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/crypto_providers/sha1.rb

@@ -1,20 +1,21 @@
+# frozen_string_literal: true
+
 require "digest/sha1"
 
 module Authlogic
   module CryptoProviders
-    # This class was made for the users transitioning from
-    # restful_authentication. Use of this crypto provider is highly discouraged.
-    # It is far inferior to your other options. Please use any other provider
-    # offered by Authlogic.
+    # A poor choice. There are known attacks against this algorithm.
     class Sha1
+      # V2 hashes the digest bytes in repeated stretches instead of hex characters.
+      autoload :V2, File.join(__dir__, "sha1", "v2")
+
       class << self
         def join_token
           @join_token ||= "--"
         end
         attr_writer :join_token
 
-        # The number of times to loop through the encryption. This is ten
-        # because that is what restful_authentication defaults to.
+        # The number of times to loop through the encryption.
         def stretches
           @stretches ||= 10
         end

data/lib/authlogic/crypto_providers/sha256/v2.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require "digest/sha2"
+
+module Authlogic
+  # The acts_as_authentic method has a crypto_provider option. This allows you
+  # to use any type of encryption you like. Just create a class with a class
+  # level encrypt and matches? method. See example below.
+  #
+  # === Example
+  #
+  #   class MyAwesomeEncryptionMethod
+  #     def self.encrypt(*tokens)
+  #       # the tokens passed will be an array of objects, what type of object
+  #       # is irrelevant, just do what you need to do with them and return a
+  #       # single encrypted string. for example, you will most likely join all
+  #       # of the objects into a single string and then encrypt that string
+  #     end
+  #
+  #     def self.matches?(crypted, *tokens)
+  #       # return true if the crypted string matches the tokens. Depending on
+  #       # your algorithm you might decrypt the string then compare it to the
+  #       # token, or you might encrypt the tokens and make sure it matches the
+  #       # crypted string, its up to you.
+  #     end
+  #   end
+  module CryptoProviders
+    class Sha256
+      # = Sha256
+      #
+      # Uses the Sha256 hash algorithm to encrypt passwords.
+      class V2
+        class << self
+          attr_accessor :join_token
+
+          # The number of times to loop through the encryption.
+          def stretches
+            @stretches ||= 20
+          end
+          attr_writer :stretches
+
+          # Turns your raw password into a Sha256 hash.
+          def encrypt(*tokens)
+            digest = tokens.flatten.join(join_token)
+            stretches.times { digest = Digest::SHA256.digest(digest) }
+            digest.unpack1("H*")
+          end
+
+          # Does the crypted password match the tokens? Uses the same tokens that
+          # were used to encrypt.
+          def matches?(crypted, *tokens)
+            encrypt(*tokens) == crypted
+          end
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/crypto_providers/sha256.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "digest/sha2"
 
 module Authlogic
@@ -27,6 +29,9 @@ module Authlogic
     #
     # Uses the Sha256 hash algorithm to encrypt passwords.
     class Sha256
+      # V2 hashes the digest bytes in repeated stretches instead of hex characters.
+      autoload :V2, File.join(__dir__, "sha256", "v2")
+
       class << self
         attr_accessor :join_token